Lucene search
+L

61 matches found

Github Security Blog
Github Security Blog
added 2026/04/07 6:14 p.m.8 views

OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if eventname and messageid matched. Impact...

5.9AI score
Exploits0References4Affected Software1
OSV
OSV
added 2026/04/07 6:14 p.m.6 views

GHSA-FQRJ-M88P-QF3V OpenClaw: Zalo replay dedupe cache could suppress events across authenticated webhook targets

Summary Before OpenClaw 2026.3.31, the Zalo webhook replay-dedupe cache was shared across authenticated webhook targets and keyed too broadly. In multi-account deployments, a replay seen on one account could suppress a legitimate event on another account if eventname and messageid matched. Impact...

2.3CVSS5.8AI score0.00274EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/03/26 3:11 p.m.6 views

CVE-2026-32053

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...

6.9CVSS5.8AI score0.00337EPSS
Exploits0References1
OSV
OSV
added 2026/03/21 3:31 a.m.7 views

GHSA-3R78-RQG8-95GG Duplicate Advisory: OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-vqx8-9xxw-f2m7. This link is maintained to preserve external references. Original Description OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized...

6.9CVSS5.7AI score0.00337EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/03/21 12:42 a.m.34 views

CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...

6.9CVSS0.00337EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/03/21 12:42 a.m.5 views

CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...

6.9CVSS5.8AI score0.00337EPSS
Exploits0References3
OSV
OSV
added 2026/03/21 12:42 a.m.5 views

CVE-2026-32053 OpenClaw < 2026.2.23 - Twilio Webhook Replay Bypass via Randomized Event ID Normalization

OpenClaw versions prior to 2026.2.23 contain a vulnerability in Twilio webhook event deduplication where normalized event IDs are randomized per parse, allowing replay events to bypass manager dedupe checks. Attackers can replay Twilio webhook events to trigger duplicate or stale call-state...

6.9CVSS6AI score0.00337EPSS
Exploits0References5
CVE
CVE
added 2026/03/21 12:42 a.m.23 views

CVE-2026-32053

CVE-2026-32053 affects OpenClaw versions prior to 2026.2.23. The root cause is a flaw in Twilio webhook event deduplication, where normalized event IDs are randomized per parse, allowing replayed webhook events to bypass dedupe checks. This can cause duplicate or stale call-state transitions, lea...

6.9CVSS5.8AI score0.00337EPSS
Exploits0References3Affected Software1
Github Security Blog
Github Security Blog
added 2026/03/03 11:8 p.m.11 views

OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...

6.5CVSS5.9AI score0.00267EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/03 11:8 p.m.6 views

GHSA-R9Q5-C7QC-P26W OpenClaw's Nextcloud Talk webhook replay could trigger duplicate inbound processing

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...

5.3CVSS5.9AI score0.00267EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/03/03 10:25 p.m.13 views

OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity

Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata i-twilio-idempotency-token, enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw npm ...

6AI score
Exploits0References3Affected Software1
OSV
OSV
added 2026/03/03 10:25 p.m.3 views

GHSA-GCJ7-R3HG-M7W6 OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity

Summary The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata i-twilio-idempotency-token, enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header. Affected Packages / Versions - Package: openclaw npm ...

3.7CVSS6AI score
Exploits0References3
Github Security Blog
Github Security Blog
added 2026/03/03 7:16 p.m.10 views

OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Impact Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions. Affected Packages / Versions - Package: openclaw npm - Vulnerable...

6.9CVSS5.9AI score0.00337EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/03 7:16 p.m.2 views

GHSA-VQX8-9XXW-F2M7 OpenClaw's voice-call Twilio webhook replay could bypass manager dedupe because normalized event IDs were randomized per parse

Impact Twilio webhook replay events could bypass voice-call manager dedupe because normalized event IDs were randomized per parse. A replayed event could be treated as new and trigger duplicate or stale call-state transitions. Affected Packages / Versions - Package: openclaw npm - Vulnerable...

6.9CVSS5.9AI score0.00337EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2026/03/03 12:0 a.m.11 views

PT-2026-26224

Summary When Nextcloud Talk webhook signing was valid, replayed requests could be accepted without durable replay suppression, allowing duplicate inbound processing after replay-window expiry or process restart. Details OpenClaw's Nextcloud Talk webhook path verified HMACsecret, random + body but...

6.5CVSS5.8AI score0.00267EPSS
Exploits0References9
Tenable Nessus
Tenable Nessus
added 2026/01/16 12:0 a.m.6 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: kernel (UTSA-2026-000925)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-000925 advisory. Race condition in the ioctlfilededuperange function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service heap-based buffer...

7.4CVSS8AI score0.00949EPSS
Exploits1References8
Tenable Nessus
Tenable Nessus
added 2026/01/15 12:0 a.m.5 views

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-002926)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-002926 advisory. Race condition in the ioctlfilededuperange function in fs/ioctl.c in the Linux kernel through 4.7 allows local users to cause a denial of service heap-based buffer...

7.4CVSS8AI score0.00949EPSS
Exploits1References8
RedhatCVE
RedhatCVE
added 2026/01/09 9:3 a.m.9 views

CVE-2024-39897

zot is an OCI image registry. Prior to 2.1.0, the cache driver GetBlob allows read access to any blob without access control check. If a Zot accessControl policy allows users read access to some repositories but restricts read access to other repositories and dedupe is enabled it is enabled by...

4.3CVSS4.2AI score0.00298EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.5 views

EUVD-2024-2258

Malicious code in bioql PyPI...

4.3CVSS6.3AI score0.00298EPSS
Exploits0References4
OSSF Malicious Packages
OSSF Malicious Packages
added 2025/08/14 6:52 p.m.3 views

Malicious code in dedupe-chunks-webpack-plugin (npm)

The package dedupe-chunks-webpack-plugin was found to contain malicious code...

7AI score
Exploits0
Rows per page
Query Builder